Configuring and Using an FTP Proxy

Mick shows you how to add a layer of security between the bad guys and your public FTP servers.

Restricting FTP Commands

Now we return to ftp-proxy.conf (Listing 1) and one of
ftp-proxy's most important features: ValidCommands. This is a
comma-delimited list of FTP commands the proxy will allow. The list
may span multiple lines if you end each line (except for the last)
with a backslash (\). In the ValidCommands statement at the bottom
of Listing 1, ftp-proxy has been configured to allow FTP directory
navigation commands (PWD, CWD, CDUP) and FTP read commands (LIST,
NLST, RETR), plus some additional administrative commands such as
MODE, PORT and PASV.

Space does not permit me to explain all of these in depth,
other than to say that these aren't end-user FTP client commands;
they're FTP protocol commands as specified in RFC 959 (see
ftp.isi.edu/in-notes/rfc959.txt).
These are the commands that FTP client and server applications use
with each other. See Table 1 for a summary.

One limitation of ftp-proxy is that it isn't possible to set
different command restrictions for external users than for internal
users. Be careful, therefore, with ValidCommands. If your internal
users need to send files to FTP servers, you won't be able to
restrict the STOR or STOU commands (i.e., you'll need to include
them in ValidCommands), which means you'll need to make sure your
read-only public FTP server is itself configured to disregard
them.

That isn't such a bad thing. Regardless of how ftp-proxy is
configured, you still need to configure your FTP servers to protect
themselves as much as possible.
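One way to check what a given ValidCommands statement lets through, as an added example (not code from this article or from proxy-suite): it joins the backslash-continued lines, extracts the allowed commands and reports any that write to the server. It assumes the statement is the keyword, whitespace, then the list. The sample configuration is constructed, and the write-command set goes beyond the STOR and STOU named above to the other RFC 959 commands that modify files or directories.

```python
import re

# RFC 959 commands that create, change or delete data on the server.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

# Constructed sample, not the article's Listing 1. Assumed syntax: the keyword,
# whitespace, then the comma-delimited list, continued with a trailing backslash.
SAMPLE_CONF = """\
ValidCommands USER, PASS, QUIT, PWD, CWD, CDUP, \\
              LIST, NLST, RETR, STOR, \\
              MODE, PORT, PASV
"""

def join_continuations(text):
    """Merge each line ending in a backslash with the line that follows it."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
        else:
            logical.append(pending + line)
            pending = ""
    if pending:  # dangling backslash on the last line: keep what was read
        logical.append(pending)
    return logical

def valid_commands(text):
    """Return the set of commands in the ValidCommands statement, or None."""
    for line in join_continuations(text):
        m = re.match(r"\s*ValidCommands\s+(.*)$", line)
        if m:
            return {c.strip().upper() for c in m.group(1).split(",") if c.strip()}
    return None

def audit(text):
    """Return the sorted write commands the proxy would pass to the server."""
    allowed = valid_commands(text)
    if allowed is None:
        return None  # no ValidCommands statement found in this text
    return sorted(allowed & WRITE_COMMANDS)

if __name__ == "__main__":
    print("write commands allowed through the proxy:", audit(SAMPLE_CONF))
```

Any command this reports is one the proxy will not stop, so the FTP server behind it has to refuse that command itself.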

Conclusion

An FTP proxy adds an important layer of security between the
bad guys and your public FTP servers. I've shown you the basics of
setting up a transparent FTP proxy using SuSE's proxy-suite, but it
supports many other worthwhile features we haven't covered here.
See the Resources section for pointers to additional information.
Good luck!

Mick Bauer (mick@visi.com) is a network security consultant for
Upstream Solutions, Inc., based in Minneapolis, Minnesota. He is
the author of the upcoming O'Reilly book Building Secure Servers
with Linux, composer of the “Network Engineering Polka” and a
proud parent (of children).

This is a great tutorial. I followed these steps and was able to configure this on our SuSE servers and it's working great. However, I wanted to confirm if there is commercial support for this product from SuSE or any other vendor? We need to convince our management that this is supported. Or is there any other FTP proxy solution out there which is supported?
Any help would be appreciated.